Bug 1523484 - do not treat CN as DNS name for non-server certs, r=ueno
libpkix, when validating a leaf certificate against the CAs' name constraints, treats the Subject DN CN attribute as a DNS name. This may be reasonable behaviour for server certificates, but does not make sense for other kinds of certificates (e.g. user certificates, OCSP signing certificates, etc.)

Update the libpkix name constraints checker to only treat the CN as a DNS name for server certificates (i.e. when id-kp-serverAuth is asserted in the Extended Key Usage extension).

For compatibility, the behaviour is unchanged (i.e. CN is still treated as a DNS name) when the certificate does not have an Extended Key Usage extension.

--HG--
extra : amend_source : c2bbd69eec528ce9be7c89d3d1aa7742c9eb4c49
1 parent 2368eab, commit 54d34e3
Showing 4 changed files with 42 additions and 1 deletion.
Binary file not shown.
Binary file not shown.
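The decision described in the commit message, as an added example that is not the libpkix code from this commit: a simplified C model in which `struct leaf_cert`, `struct dns_constraints` and every function name are hypothetical. It covers only the CN-as-DNS-name part of name constraints checking, not Subject Alternative Names or directory name constraints.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified model of a leaf certificate (not NSS types). */
struct leaf_cert {
    const char *subject_cn;  /* Subject DN CN attribute, or NULL if absent */
    bool has_eku;            /* Extended Key Usage extension present? */
    bool eku_server_auth;    /* id-kp-serverAuth asserted in that extension? */
};

/* dNSName subtrees taken from a CA's Name Constraints extension. */
struct dns_constraints {
    const char *const *permitted; size_t n_permitted;
    const char *const *excluded;  size_t n_excluded;
};

/* Rule from the commit message: the CN is a DNS-name candidate for server
 * certificates, and (for compatibility) when there is no EKU extension. */
bool cn_is_dns_candidate(const struct leaf_cert *c)
{
    return c->subject_cn != NULL && (!c->has_eku || c->eku_server_auth);
}

/* RFC 5280 dNSName matching: the name equals the base or adds labels on its left. */
static bool in_subtree(const char *name, const char *base)
{
    size_t n = strlen(name), b = strlen(base);
    if (n < b || strcasecmp(name + (n - b), base) != 0)
        return false;
    return n == b || b == 0 || name[n - b - 1] == '.';
}

/* True if the CN satisfies the dNSName constraints or is exempt from them. */
bool cn_passes_dns_constraints(const struct leaf_cert *c,
                               const struct dns_constraints *nc)
{
    size_t i;
    if (!cn_is_dns_candidate(c))
        return true;  /* e.g. user or OCSP signing certificate: CN not checked */
    for (i = 0; i < nc->n_excluded; i++)
        if (in_subtree(c->subject_cn, nc->excluded[i]))
            return false;
    for (i = 0; i < nc->n_permitted; i++)
        if (in_subtree(c->subject_cn, nc->permitted[i]))
            return true;
    return nc->n_permitted == 0;  /* no permitted list means nothing is required */
}
```

With a CA constrained to `example.com`, a user certificate whose CN is a personal name and whose EKU lacks id-kp-serverAuth passes, while the same CN fails when the EKU extension is absent or asserts id-kp-serverAuth.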